USB BDM NT

[In-Tech]

Great info in this thread. I just re-read it and everything is much clearer, lol, it seemed so overwhelming at the time. I had DavidBraley/NSFW's design printed, pretty cool stuff, it took a few hours of fine tuning the holes. They were in the correct place but I think the print shop left some things to be desired. I think some better plastic would have had better results so truly no fault of the print shop.
I dug out the .bin file I BDM read on my dead p59. Most of the boot section was erased, parameters were fine and the rest of the file was erased too. I guess since the boot was fubar, there is no way to repair it without the BDM.
I bought the new u-link from Li(USBJTAG.com) too but haven't tried it yet. He said he has it reading the e38 slave now too so I'm looking forward to trying it soon

[antus]

Does anyone know a typical place in a bin from a PCM where the registers that disable the two watchdogs are set to do so? I am attempting to unbrick my P08 which has become a casualty of writing erase code for pcmhammer in assembly. The erase worked yes, but did not complete cleanly and the param block was damaged. Then it would boot, have an OSID, but not a vin or other data. It would not unlock and could not be reflashed.

So I have tracked down the pins, the same pattern on the header as the P01 can be used, and there are two missing spots for zero ohm resistors that need to be jumped for DSO / DSI, and the typical 12v through 100 ohm resistor is required for programming voltages. I am putting together an XML config for it from what I know about the flash, but the flash kernels scratch the watchdog to keep it alive, USBJTAGNT does not, and requires the platform configured to turn the watchdogs off. Where to find this information I am at a loss. I have tried a few guesses, no joy so far. I can read the flash ID so I know its working, and I did do a full erase of the flash, but the programming is a little slower and watchdogs reboot it before it successfully completes.

Code: Select all

    <Init>
      <Address>0xFFF408</Address>
      <Value>0x000F</Value>
      <Bytes>2</Bytes>
    </Init>
    <Init>
      <Address>0xFFF4C8</Address>
      <Value>0x0005</Value>
      <Bytes>2</Bytes>
    </Init>
    <Init>
      <Address>0xFFFA4A</Address>
      <Value>0x6820</Value>
      <Bytes>2</Bytes>
    </Init>
    <Init>
      <Address>0xFFFA4E</Address>
      <Value>0x7020</Value>
      <Bytes>2</Bytes>
    </Init>

Code: Select all

-reset 1
Found Address= 00000000 Intel AB28F400B5-B

It needs two more values to poke in to two more registers, one to turn off each watchdog, not just reset it like we normally do.

EDIT: Image removed, image without VPP (its not needed) below.

[antus]

After a night of trying this and that and lots of copy paste retry cycles from the program entry point from bits of data in the factory OS I can say I found the program voltage bit its: 0xFFFA11 with a default value of 0x08 and programing voltage is on bit 2 so 0x0D turns it on.

I verified this does it in USBJTAGNT software:
<Init>
<Address>0xFFFA11</Address>
<Value>0x0D</Value>
<Bytes>1</Bytes>
</Init>

This means that 12v cable in the above photo won't be required on BDM on this PCM.

Unfortunately this still doesnt get it to program so there is something else missing. But what it does mean is it proves that we can use the internal programming voltage if these PCMs are setup right, not having to use a jumper like the tutorials show so far. If I get time next time I plug my P01 in i'll try and implement this there, and since that one already works it'd save adding a wire when bench flashing those and intel P59s. It'll be a different register / bit but it proves the point. I was previously thinking that due to the way BDM works it might not be possible to get the hardware in to this state and that.s why nobody has done it yet.

I am also now thinking the watchdogs have nothing to do with it and they start disabled, so if you don't turn them on then they do not get in the way. The hard part is how to initialize the platform from scratch in to a state where flash is possible, rather than from a booted and running state like we do with the pcmhammer flash kernels. I have a theory that since erase works everything is correct except the PCM is not setup for bidirectional communications with the flash chip. When it erases I can see the power draw go up by about 20ma, but when it programs it goes back down to where it was indicating nothing is happening at the hardware level.

[kur4o]

The bdm config takes data from pcm code. There is some initial chip setup on reset, that configures the pcm for initial operation. Take data from there and make an xml with it. AT least that is done with p01. Not sure you need to disable watchdog. I think disabling interrupts is what is needed.

What year is the test pcm, I have some disassembly but not sure it will apply to hardware you have.

Great find for the vpp voltage register.

[antus]

I think its 2001, def a P08. I have been grinding through the init code, that was what I was trying to describe above. Just not hit on the right magic setup soup combo yet. Chip ID yes, Erase yes, VPP yes, just the program cycle does nothing.

[Gampy]

Wow, that's awesome, need to figure this out for them all, that jumper wire is a pain in the ...

Program cycle in Code or with BDM ??

-Enjoy

[In-Tech]

There are slave module's. Just like the e38+ I haven't spent any time trying to dump those yet, oy vey, I guess it's time.

[kur4o]

Antus,

you can check this diss. Code from 440 to 44f , including subroutines, should have all the needed chip initialization needed for bdm. There it checks for brick and enters bootblock loop. It is also possible some registers enables watchdog, that needs to be set at reset.

It is much cleaner and less than p04. Hope you make it work at the end.

[antus]

It is working, and using built in VPP!

xml attached. Its using slow program mode, the problem is RAM access. USBJTAGNT author is going to look at the bin to try and figure out the RAM init so that fast program mode can be used. But he gave me the syntax for slow mode and it worked. The key to knowing slow program would work was that erase worked. It still only takes a couple of seconds. So my PCM is unbricked and this is enough to use.

Edit: It looks like the brown DS pin isn't needed after all but didn't cause any problems anyhow, also this is a USBBDMNT pinout, the USBJTAGNT is different, so use the pin labels not the position if you are hooking up one of those.

[usbbdm]

Simply add line <Sprogram>1</Sprogram> will allow you to program. But not the fastest you can get.